The stunning figure represents about a third of all American adults at the low end, and is nearly three times as great as the company's original estimate at the upper end. The theft is one of the largest ever of retail data.

In Australia, Target is owned by listed conglomerate Wesfarmers and apart from sharing a brand, has no links to the US retailer.

Not only did Target's announcement disclose a vastly expanded universe of victims, but it revealed that the hackers had stolen a broader trove of data than originally reported. The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call centre.

On December 19, Target confirmed reports that payment data was stolen from about 40 million customers who shopped in its stores in the US from November 27 to mid-December.

As its investigation into the theft continued, the company said it had found that an additional quantity of data, collected over time on 70 million people and stored separately from the in-store data, was stolen.

The latest subset of potential victims includes customers who may not have shopped at Target during the holiday period. Though there is probably overlap between the two groups, the company said it did not know the extent.

When Target's security breach became public in mid-December, customers flooded help lines, the company's website and Facebook page expressing worry and irritation. And it now appears that wary customers steered clear of Target stores during the last days of the shopping season, as suggested by the company's statement on Friday that sales declined noticeably after the disclosure.

The effect of the data theft has reached far beyond one of the largest retailers in the US. Major credit card companies and banks have been issuing warnings about potential fraud to their customers and providing them with new cards and account numbers as a precaution. Some banks have limited cash withdrawals. As banks and companies continue to monitor accounts for suspicious activity, the Secret Service and the Justice Department have opened an investigation.

"This will impact many Target business partners - Visa, MasterCard and the host of banks and credit agencies that now have to keep an eye on the 110 million customers now vulnerable to identity theft," said Hemu Nigam, founder of SSP Blue, a security and privacy consultant.

"It affects more than Target customers, it affects mortgage lenders and car sales. It affects the entire economic infrastructure."

Fraud experts said the information quickly flooded the black market. On December 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a ten to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.

The company apologised for the broadening violation of its customers' privacy. "I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Target chief executive Gregg Steinhafel said.

Security experts say clever hackers could piece together customers' stolen information for identity theft or for use in a spearphishing attack, in which hackers send highly tailored emails to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers' networks.

Target has been working with a forensics team at Verizon, and it has also consulted with Mandiant, the security firm specialising in data breach recovery, which recently agreed to be acquired by FireEye, the security software company, for close to $US1.1 billion ($1.2 billion).

After the initial breach, Target said it had protected customers' payment information with encryption and that it had stored the keys to descramble it on separate systems not affected in the breach. But the encryption algorithm Target used to protect that data - a standard known as triple DES, or 3DES - is vulnerable in some cases to so-called brute force attacks, when hackers use computers for high-speed guessing.

In a breach on Adobe last year, hackers were able to bypass 3DES encryption through brute force attacks and exposed tens of millions of Adobe passwords within weeks of the breach.

On Friday, a Target spokeswoman would not comment on whether the second batch of information stolen from its 70 million customers was encrypted. In Adobe's case too, the number of stolen records was significantly larger than the company initially reported. When Adobe first reported the breach in October, it said hackers had gained access to payment card and personal data for 2.9 million customers, including user names and passwords. By the end of the month, the tally had grown to more than 38 million.

The most extensive data breach on record for a retailer was the theft of 90 million records from T.J. Maxx in 2005. The biggest breach overall was in 2009, when card processor Heartland Payment Systems was targeted and 130 million credit card numbers were stolen.

The number of Target customers exposed could still grow. "Like a natural catastrophe, usually a low number of breached records is reported and, as the story unfolds, the number of compromises grows and grows," said Anup Ghosh, founder of Invincea, a security software company. "In Target's case, what this highlights is that the point-of-sale systems customers use to swipe their credit cards are connected to the corporate network like everything else."

New York Times

6 comments

Why do they collect our details at all? A wimpy frequent-flyer or rewards club is no excuse.

This is 2014 ffs and yet they still neglect to keep personal data safe. That is why I don't exist on Facebook, Twitter, email, etc. 10 Minute Mail to beat the spammers, TOR, etc.

Your credit card has no PIN or identity security at all, yet most online web sites conveniently "remember" all the details you enter. The credit card verification number (CVN) is a pathetic nod to security but is no more secure than dropping the card on the street.

Anyone had those mysterious $1 overseas deductions?

Internet transfer is one-way and way safer. Cash is still king.

Commenter: johnno | Location: Fakeville | Date and time: January 13, 2014, 12:39PM

This is why you don't supply your primary email account to anyone, you can use up to 4 aliases on most ISPs (the only person who has my primary email address is my ISP). This is why you use debit, not credit cards, especially when you are online. Post office boxes are also a fairly cheap option to keep your address more secure. You may not be able to use all these options on every site, but a combination is normally available. The simplest thing though is to consider the cost of what you do online, and if the cost is likely to be too high, simply don't do it. Get off your bum, do it in person, use cash wherever possible. Laziness is going to cost you in the long run.

Commenter: Les | Location: Hawken | Date and time: January 13, 2014, 1:19PM

C'mon guys, this is a no-brainer! Make it illegal for companies to ask for excessive amounts of information and there won't be anything to steal. Don't have it so every single ridiculous form asks for your sensitive details, don't ask people for their private details on the phone so they can be overheard, use one time payment methods, and please please create a body that has the ability to stop your identity making transactions when your details have been compromised.

This is only complex and difficult for dinosaurs that have no place running organisations and governments today - they can not shoulder the responsibility for their customers' information!

Commenter: Payback | Location: Sydney | Date and time: January 13, 2014, 5:22PM

Privacy is not complex at all; all you need are the right tools to make sure that your privacy is protected. In a recent interview, CyberGhost VPN's CEO Robert Knapp told Bestvpnservice that the NSA and other spying agencies spy on us because we let them spy on us. We need to empower ourselves to fight these agencies. Source: http://www.bestvpnservice.com/blog/an-interview-with-cyberghost-vpn-ceo-robert-knapp/

I believe that any form of encryption can save you from hacks and common sense can help save you from stolen identities and data. NOT EVERYTHING IS MEANT FOR THE INTERNET.

Commenter: alifaizan | Location: karachi | Date and time: January 13, 2014, 5:58PM

I often wonder if these companies are truly hacked or if data is sold. Selling data has become another revenue stream.

Commenter: pete | Date and time: January 13, 2014, 6:10PM

70-100m accounts? There's only about 250m adults in the entire US. So either about 1 in 3 adults shop at Target, a statistic I find unlikely, or Target are maintaining or accessing a database that contains details of more than their direct customers.
